Security

    iOS Certificate Pinning Bypass (Frida & Objection)

    An iOS app's certificate pinning being disabled on a virtual jailbroken device with Objection while an intercepting proxy reads the traffic.

    iOS certificate pinning is a client-side control, so on a jailbroken or virtualized device that a tester controls, it can be bypassed with instrumentation such as Objection and Frida, or a system-wide tweak like SSL Kill Switch, all of which force the app's trust checks to pass. This is a known limit of any pinning implementation, not a specific flaw. The defensive value of understanding it is to test your own app on a device you own, confirm that pinning is actually working and is not trivially bypassable, and remember what pinning does and does not protect: it stops network interception for users on healthy devices, but it does not stop the owner of a compromised device from seeing their own traffic.

    Short answer

    Certificate pinning protects the channel on healthy devices, but a tester on a jailbroken or virtual iOS device can disable it. Objection's ios sslpinning disable command and Frida scripts hook the trust-evaluation functions to make pinning pass, and SSL Kill Switch disables validation system-wide on a jailbroken device. Per the OWASP MASVS, pinning strengthens transport security but is a client-side control that a compromised device can defeat. Use this only to test your own app on hardware you own, ideally with a proxy, and remediate by pinning robustly and, above all, enforcing trust server-side, since pinning does not protect your API from a user who controls their device.

    What certificate pinning does and why it can be bypassed

    Certificate pinning has your app check the server's certificate or public key against a copy pinned in the app, so it accepts a connection only from your real server and rejects a substitute, even one signed by an otherwise trusted certificate authority. This defeats a common network attack: an interceptor who installs a rogue but trusted certificate to read traffic is blocked, because their certificate does not match the pin. For users on normal devices, pinning is a real and worthwhile defense against man-in-the-middle interception.

    It can be bypassed for the same structural reason every client-side control can: the pinning check runs as code inside your app, and on a device the attacker controls, that code can be altered. The trust decision ultimately calls a function that returns whether the certificate is acceptable, and on a jailbroken or instrumented device a tester can hook that function to always return success, so the app proceeds as if the pin matched. This is not a defect in your pinning library; it is a property of running the check on hardware the tester owns, which is exactly the situation resilience testing assumes.

    SSL Kill Switch, Frida, and Objection

    The common iOS bypass tools fall into instrumentation and system-wide tweaks. Objection, built on Frida, includes an ios sslpinning disable command that hooks the standard iOS trust-evaluation paths, such as the Secure Transport and network trust APIs and popular networking libraries, so pinning checks pass. Frida on its own can attach to your running app and hook the specific trust functions, which is the flexible, scriptable approach testers use to target a particular implementation.

    SSL Kill Switch, currently in its second and third generations, is the system-wide option: it is a tweak installed on a jailbroken device that disables certificate validation and pinning across the whole system by hooking the trust-evaluation machinery, so every app's pinning stops working. The difference is scope and audience. Objection and Frida are targeted tools for testing a specific app, while SSL Kill Switch broadly disables pinning on the device. All three achieve the same end for your app, forcing the pinning check to pass, because all three operate on the client where that check runs.

    Corellium and test environment setup

    Because these techniques need a jailbroken or otherwise controllable iOS environment, testers use either a physical jailbroken device or a virtual one, and Corellium is the common virtual option. Corellium provides virtualized iOS devices in software, letting you run and instrument iOS, including a jailbroken state, without a physical jailbroken phone, which is why it appears in professional mobile security testing. A typical setup is a virtual or physical device you control, your own app installed on it, Frida or Objection attached, and an intercepting proxy such as a network proxy tool to observe the traffic once pinning is disabled.

    Set the environment up responsibly. Only test applications you have the right to test, use a device or virtual instance you own or are authorized to use, keep it isolated from personal accounts and production systems, and record findings so you can act on them. This mirrors how OWASP MASTG frames network and resilience testing: a controlled exercise to confirm whether pinning behaves as intended and where it fails. The point of standing up Corellium or a jailbroken device is to audit your own app's transport security, not to interfere with anyone else's traffic.

    What pinning actually protects

    Being precise about what pinning protects prevents a dangerous misuse of it. Pinning protects your users on healthy devices from a network attacker who tries to intercept their traffic, which is a genuine threat on hostile networks, so it is worth implementing. It hardens the transport channel against interception by a third party who is not the device owner, and that is its proper role.

    What pinning does not do is protect your API from the owner of the device. A user who controls their own device can bypass pinning and observe the traffic their own app sends, so pinning is not an anti-reverse-engineering measure or a way to keep your API private from your own users. Treating it as such leads to designs that assume the client can be trusted once pinning is in place, which is false on a compromised device. The correct mental model is that pinning secures the channel against outsiders, while the device owner can always see their own traffic, so anything that must be protected from that user has to be enforced elsewhere.

    Remediation: robust pinning and server-side trust

    Remediation has two parts: implement pinning well, and never rely on it alone. Pin to the public key or subject public key info rather than a leaf certificate so rotation is manageable, include backup pins so a certificate change does not break your app, and consider a native implementation, which is harder to hook than a drop-in library. These steps raise the effort required to bypass pinning and keep it working smoothly for legitimate users, which is the realistic goal.

    The more important half is server-side trust. Because a determined user can defeat client pinning, the server must authenticate and authorize every request rather than trusting the client because pinning is present, and sensitive operations should be gated on server-side checks. For stronger assurance that a request comes from your genuine, unmodified app, add Apple's App Attest, whose verdict is validated on your server and is far harder to forge than a client-side pin. Combine robust pinning for channel protection with server-side authorization and attestation for real trust, and design as if the client may be compromised, which is the durable posture.

    Bypass approaches and their limits

    Seeing the layers together shows where trust should live. The table below compares them.

    LayerWhat it doesLimitation
    Certificate pinning in the appRejects substitute server certificates, blocks interceptionRuns on the device, hookable when compromised
    SSL Kill Switch tweakDisables validation and pinning system-wideNeeds a jailbroken device
    Frida or Objection hooksForce the trust check to passAny client-side check can be flipped
    Server-side authorization and App AttestValidates the request and app integrity server-sideHarder to forge; carries the real trust

    Read the table top to bottom: pinning and its bypasses all live on the client, while only server-side validation, which the device owner does not control, actually anchors trust.

    Hardening checklist

    Working through these steps keeps pinning effective while putting real trust server-side. The checklist below covers them.

    StepActionDone?
    Test on your own appJailbroken or virtual device and a proxy you control[ ]
    Pin robustlyPublic-key pins, backup pins, native where possible[ ]
    Do not rely on pinning aloneAuthorize every request server-side[ ]
    Add client integrityApp Attest for sensitive operations[ ]
    Assume the owner sees trafficProtect the API server-side, not via pinning[ ]
    Plan pin rotationBackup pins to avoid outages on cert change[ ]

    The step that changes your posture most is authorizing every request server-side, because it puts the deciding check where the device owner cannot alter it, unlike the pinning above it.

    Assess your network-security posture

    Because transport security is about more than a single pin, seeing your app's actual posture helps, including whether pinning is present, whether cleartext traffic is allowed, and how sensitive data travels. Knowing this is the input to hardening the channel and deciding what must be enforced server-side.

    A scanner like PTKD.com analyzes your build and reports issues such as weak transport security, allowed cleartext traffic, insecure data storage, and leaked keys by severity, mapped to OWASP MASVS, whose network category covers pinning and transport hardening. To be clear about the boundary: PTKD does not make pinning unbreakable, which nothing can on a compromised device, and it does not test a live bypass. It helps you see your transport and data-protection posture so you invest in the layers that actually carry trust.

    What to take away

    • iOS certificate pinning is a client-side control, so on a jailbroken or virtual device a tester can disable it with Objection, Frida, or SSL Kill Switch.
    • Objection's ios sslpinning disable and Frida hooks target a specific app, while SSL Kill Switch disables validation system-wide, and Corellium provides a virtual iOS device for testing without physical jailbroken hardware.
    • Test this only against your own app on a device you own, as a controlled OWASP-style network assessment, ideally with an intercepting proxy.
    • Pinning protects users on healthy devices from interception, but it does not protect your API from the owner of a compromised device, so never treat it as anti-reverse-engineering.
    • Pin robustly with backup public-key pins, enforce trust server-side with authorization and App Attest, and review your transport posture with a tool like PTKD.com.
    • #certificate pinning
    • #ios
    • #frida
    • #objection
    • #owasp masvs

    Frequently asked questions

    Can iOS certificate pinning be bypassed?
    Yes, on a device the tester controls. Pinning runs as code inside your app, and on a jailbroken or virtualized iOS device that code can be hooked to accept any certificate, so instrumentation like Objection and Frida or a system-wide tweak like SSL Kill Switch forces the trust check to pass. This is a structural limit of client-side controls, not a flaw in your pinning library, so treat pinning as channel protection, not an unbreakable boundary.
    What is SSL Kill Switch and how does it differ from Frida?
    SSL Kill Switch, in its second and third generations, is a tweak installed on a jailbroken device that disables certificate validation and pinning system-wide by hooking the trust-evaluation machinery, so every app's pinning stops. Frida and Objection are instrumentation that attach to a specific app and hook its trust functions, with Objection offering an ios sslpinning disable command. The difference is scope: SSL Kill Switch is broad and system-wide, while Frida and Objection are targeted at testing one app.
    How do I set up a test environment with Corellium?
    Corellium provides virtualized iOS devices in software, including a jailbroken state, so you can run and instrument iOS without a physical jailbroken phone. A typical setup is a virtual or physical device you control, your own app installed, Frida or Objection attached, and an intercepting proxy to observe traffic once pinning is disabled. Only test apps you have the right to test, keep the environment isolated from personal accounts and production, and record findings to act on.
    What does certificate pinning actually protect?
    It protects your users on healthy devices from a network attacker intercepting their traffic, for example someone on a hostile network installing a rogue trusted certificate, which the pin rejects. What it does not protect is your API from the owner of the device: a user who controls their device can bypass pinning and see their own traffic. So pinning secures the channel against outsiders but is not anti-reverse-engineering or a way to keep your API private from your own users.
    How do I make pinning harder to bypass?
    Implement it well and never rely on it alone. Pin to the public key or subject public key info rather than a leaf certificate so rotation is manageable, include backup pins so a certificate change does not break the app, and consider a native implementation, which is harder to hook than a drop-in library. These raise the effort to bypass and keep pinning working for legitimate users, but a determined user on their own device can still defeat it.
    What is the durable defense if pinning is bypassable?
    Server-side trust. Because a determined user can defeat client pinning, the server must authenticate and authorize every request rather than trusting the client, and sensitive operations should be gated on server-side checks. For stronger assurance that a request comes from your genuine, unmodified app, add Apple's App Attest, whose verdict is validated on your server. Combine robust pinning for channel protection with server-side authorization and attestation for real trust.

    Keep reading

    Scan your app in minutes

    Upload an APK, AAB, or IPA. PTKD returns an OWASP-aligned report with copy-paste fixes.

    Try PTKD free